Users can restrict permission to documents and e-mail
messages in the 2007 Microsoft Office system by using Information
Rights Management (IRM). You can configure IRM options in your
organization to encrypt document properties for IRM content,
specify the down-level text that appears when users without
IRM-enabled software receive content with IRM permissions, and so
on.

Note: This topic is for Office administrators. To learn about using
IRM to apply permissions to Office documents or e-mail messages,
see Information Rights Management on Office Online.

Configuring IRM Group Policy settings

You can lock down many IRM settings by using the
Office Group Policy template (Office12.adm). You can also use the
Office Customization Tool (OCT) to configure default
settings, which users can then change. The OCT
settings are in corresponding locations on the Modify user
settings page of the OCT. In addition, some IRM
configuration options can be configured only by using registry
key settings. For a list of all IRM registry keys, see Configuring IRM registry key options.

Double-click the option that you want to configure. For example,
to prevent users from applying IRM permissions in all Office
applications, double-click Disable Information Rights Management
User Interface.

Click Enabled.

Click OK.

The settings you can configure for IRM in Group Policy and by
using the OCT are listed in the following table.

| IRM option | Description |
|---|---|
| Prevent users from changing permission on rights managed content | Users can consume content that already includes IRM permissions, but cannot apply IRM permissions to new content nor edit the rights on a document. |
| Message displayed to users who cannot view a rights-managed e-mail | Specify the text of the wrapper e-mail message sent with rights-managed e-mail. |
| URL for location of document templates displayed when applications do not recognize rights-managed documents | Provide the path to a folder with document, spreadsheet, and presentation files to be used as templates for an unencrypted wrapper for files with rights-managed content received by users with previous versions of Office. |
| Disable Information Rights Management User Interface | Disable all Rights Management-related options within the user interface of all Office applications. |
| Additional permissions request URL | Specify the location where a user can obtain more information about getting access to IRM content. |
| Allow users with earlier versions of Office to read with browsers… | Enable users without the Microsoft Office 2007 system to view rights-managed content by using the Rights Management Add-in for Windows Internet Explorer. |
| Always require users to connect | Users opening a rights-managed Office document must connect to the Internet or local area network to confirm by Passport or RMS that they have a valid IRM license. |
| Always expand groups in Office when restricting permission for documents | The group name is automatically expanded to display all the members of the group when users apply permissions to a document by selecting a group name in the Permissions dialog box. |
| Never allow users to specify groups when restricting permission for documents | Return an error when users select a group in the Permission dialog box: "You cannot publish content to Distribution Lists. You may only specify e-mail addresses for individual users." |
| Active Directory timeout for querying one entry for group expansion | Specify the timeout value for querying an Active Directory entry when expanding a group. |
| Disable Microsoft Passport service for content with restricted permission | Users cannot open content created by a Passport authenticated account. |
| Specify Permission Policy Path | Display in the Permission dialog box permission policy templates found in the folder specified. |
| Do not allow users to upgrade Information Rights Management configuration | Do not allow users to run repair to change their Information Rights Management configuration. |

Configuring IRM registry key options

IRM settings can be configured by Group Policy, by registry key,
or both. The following tables list the IRM registry key settings in
the 2007 Office system and the corresponding Group Policy settings,
when the setting can be locked down by using Group Policy.

The following IRM registry settings are located in
HKCU\Software\Microsoft\Office\12.0\Common\DRM. Group Policy
settings are in User Configuration\Microsoft Office 2007
system\Manage Restricted Permissions.

| Name of registry entry | Registry entry type | Values for registry entry | Group Policy setting or description |
|---|---|---|---|
| Disable | DWORD | 0 = No functionality impacted by this registry key<br>1 = All IRM functionality is removed; IRM is disabled | Disable Information Rights Management User Interface |
| DisableCreation | DWORD | 1 (or non-zero) = An Enterprise Install behaves just like a Standard install. Users cannot create IRM content or edit the rights on a document, but they can consume previously created content.<br>0 = IRM content creation is allowed when included in the product SKU | Prevent users from changing permissions on rights managed content |
| IncludeHTML | DWORD | 1 = Include HTML stream<br>0 = Do not include HTML stream | Allow Users With Earlier Version of Office to Read With Browsers |
| DownlevelText | String | The text that appears in the wrapper e-mail. The default text is: If you are not running an e-mail application that supports messages with restricted permission, such as Microsoft Office Outlook 2003 or 2007, you can view this message by downloading the Rights Management Add-on for Microsoft Internet Explorer from http://r.office.microsoft.com/r/rlidRestrictedPermissionViewer?clid=1033.<br>The CLID in the hyperlink is localized to the default language of the sender. | Message displayed to users who cannot view a rights-managed e-mail |
| DownlevelTemplatePath | String | The path to a directory that stores templates. Templates are Office document templates. | URL for location of document templates displayed when applications do not recognize rights-managed documents |
| CorpCertificationServer | String | URL to corporate certification server | No corresponding Group Policy setting. Typically, Active Directory is used to specify the RMS server. This setting allows you to override the location of the Windows RMS specified in Active Directory for certification. |
| AdminTemplatePath | String | The path to the RMS templates. All templates should be stored in the same directory. The path can include environment variables: for example, %userprofile%\application data. | Specify Permission Policy Path |
| DisablePassportCertification | DWORD | 0 = No functionality impacted by this registry key<br>1 = Disable Passport | Disable Microsoft Passport service for content with restricted permission |
| RequestPermissionURL | String | The URL of the person who can grant additional permissions. For example: mailto:someone@contoso.com. | Additional Permissions Request URL |
| RequireConnection | DWORD | 1 = The box is checked by default and a connection is required.<br>0 = The box is cleared; users do not need a connection. | Always require users to connect to verify permissions |
| RequestPermission | DWORD | 1 = The box is checked.<br>0 = The box is cleared. | No corresponding Group Policy setting. This registry key toggles the default value of the "Users can request additional permissions from" check box. |
| DoNotAcquireDRMLicenseOnSync | DWORD | 1 = Outlook will not try to acquire licenses during the message synchronization.<br>0 = The license is automatically acquired. | No corresponding Group Policy setting. When Outlook downloads an IRM e-mail message, the license to view IRM content is automatically acquired. |
| NeverAllowDLs | DWORD | 0 = Allow distribution lists.<br>1 = Disable distribution lists. | Never allow users to specify groups when restricting permission for documents |
| | | | No corresponding Group Policy setting. The permissions dialog uses Outlook to validate e-mail addresses entered in that dialog. This causes an instance of Outlook to be started when restricting permissions. Disable the option by using this key. |
| DisableRepair | DWORD | 0 = Repair works normally.<br>1 = Repair is disabled. | Do not allow users to upgrade Information Rights Management configuration |

The following IRM registry setting is located in
HKCU\Software\Microsoft\Office\12.0\Common\DRM\AutoExpandDLs. The
corresponding Group Policy setting is in User
Configuration\Microsoft Office 2007 system\Manage Restricted
Permissions.

| Name of registry entry | Registry entry type | Values for registry entry | Group Policy setting |
|---|---|---|---|
| AutoExpandDLsEnable | DWORD | 0 = Do not expand distribution lists in Permissions dialog<br>1 = Expand distribution lists in Permissions dialog | Always expand groups in Office when restricting permissions for documents |

The following IRM registry setting is located in
HKCU\Software\Microsoft\Office\12.0\Common\DRM\LicenseServers.
There is no corresponding Group Policy setting.

| Name of registry entry | Registry entry type | Values for registry entry | Description |
|---|---|---|---|
| LicenseServers | Key/Hive. Contains DWORD values that have the name of a license server. | Set to the server URL. If the value of the DWORD is 1, then Office will not prompt to acquire a license (it will just get it).<br>If the value is zero or there is no registry entry for that server, Office prompts for a license. | Example: If 'http://foo/_wmcs/licensing = 1' is a value for this setting, then a user attempting to acquire a license from that server to open a rights-managed document would not be prompted for a license. |
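
To check how a workstation is actually configured, the registry locations listed above can be read and compared with an intended configuration. The following PowerShell is an added example, not part of the original topic or of any Microsoft tool; the baseline values and the function names Get-IrmSettingReport and Get-IrmSilentLicenseServer are assumptions chosen for illustration.

```powershell
# Added example: audit the current user's IRM registry values (paths from this topic).
# The baseline below is constructed for illustration; replace it with your own policy.
$drmKey = 'HKCU:\Software\Microsoft\Office\12.0\Common\DRM'
$baseline = [ordered]@{
    Disable                      = 0  # IRM functionality stays available
    RequireConnection            = 1  # connection required to verify the license
    DisablePassportCertification = 1  # Passport is disabled
    NeverAllowDLs                = 1  # distribution lists are disabled
    DisableRepair                = 1  # repair is disabled
}

function Get-IrmSettingReport {
    # Compare each baseline entry with the value stored under the DRM key.
    param(
        [string]$Path = $drmKey,
        [System.Collections.IDictionary]$Expected = $baseline
    )
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($name in $Expected.Keys) {
        $actual = $null
        if ($props -and $props.PSObject.Properties[$name]) { $actual = $props.$name }
        [pscustomobject]@{
            Name     = $name
            Expected = $Expected[$name]
            Actual   = $actual            # empty when the entry is not set
            Match    = ($null -ne $actual) -and ($actual -eq $Expected[$name])
        }
    }
}

function Get-IrmSilentLicenseServer {
    # Value names under LicenseServers are server URLs; 1 means Office acquires
    # a license from that server without prompting the user.
    param([string]$Path = "$drmKey\LicenseServers")
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if (-not $key) { return }
    foreach ($server in $key.GetValueNames()) {
        if ($key.GetValue($server) -eq 1) { $server }
    }
}

Get-IrmSettingReport | Format-Table -AutoSize
Get-IrmSilentLicenseServer | ForEach-Object { "No license prompt for: $_" }
```

Because these keys are under HKCU, run the script in the session of the user whose configuration is being checked.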

The following IRM registry setting is located in
HKCU\Software\Microsoft\Office\12.0\Common\Security. There is no
corresponding Group Policy setting.

For the 2007 Office system Office Open XML file formats (for
example, docx, xlsx, pptx, and so on), users can decide to encrypt
the Office metadata stored inside a rights-managed file. Users can
encrypt all Office metadata, including hyperlink references, or
leave content unencrypted so other applications can access the
data.

Users can opt to encrypt the metadata by setting a registry key.
You can set a default option for users by deploying the registry
setting. There is no option for encrypting some of the metadata:
all metadata is encrypted or none is encrypted.

In addition, this registry setting does not determine whether
non-Office client metadata storage—such as the storage SharePoint
creates—is encrypted.

This encryption choice does not apply to Microsoft Office 2003
or other previous file formats. The 2007 Office system handles earlier
formats in the same way as Microsoft Office 2003.